skip to content
Primary navigation

Proactive Risk Management

Employees are often the weakest link in an organization’s security defenses

Some of the most important security strategies work to prevent adverse security events from happening. With more advanced and persistent threats, large organizations typically run sophisticated tools to help manage cyber risks in real time. An example of one such tool is vulnerability management software, which helps security professionals find and fix security holes before hackers exploit them. Proactive risk management also includes understanding adversaries and designing solutions to combat known threat vectors, such as denial of service attacks. Finally, educating employees is an important preventive defense in an increasingly hostile world, where people are often hackers’ target of choice.

This plan also provides business leaders with a much better understanding of cybersecurity risks. MNIT will introduce cyber risk scorecards to our partner agencies’ leadership, providing them with ongoing metrics to understand and manage their risk posture. MNIT will also engage business leaders in cyber risk conversations during major system development projects.


1. Build Secure Applications

Hackers focus their efforts on business applications, a target of opportunity because they are often accessible from the Internet. Hackers also know that compromising an application can provide access to a treasure trove of backend data. Application security is extremely difficult to get right. Securing applications is technically challenging and now requires sophisticated tools and specialized training to avoid common pitfalls that hackers often exploit.

This strategy includes eight specific desired outcomes.

2. Conduct Continuous Risk Assessments

Minnesota must reassess the adequacy of technology controls, because risks to state systems and data constantly change. Hackers relentlessly search for new vulnerabilities in hardware, software, and network devices. Making changes to technology and business practices also can introduce new targets of opportunity for cyber criminals.

This strategy includes six specific desired outcomes.

3. Communicate Security Risks to Agency Leaders

Technology leaders must effectively communicate cybersecurity risks to agency business leaders, who are accountable for cybersecurity risk. Ensuring agency leaders have an understanding of their cybersecurity risk posture fosters a better partnership with Minnesota IT Services to protect state systems and data.

This strategy includes two specific desired outcomes.

4. Educate Employees about Cyber Risks

Today a large volume of security incidents and breaches result from insecure employee behaviors. Therefore, it is important to educate employees about cyber risks so that they understand what to do to protect state resources and data.

This strategy includes twelve specific desired outcomes.

5. Enforce Secure Baselines

Hardware and software delivered by vendors is often insecure by default. Recognizing this out-of-the-box security risk, hackers often target default hardware and software vulnerabilities to compromise systems and steal data. Defining secure configuration baselines and automated build scripts to harden commonly used hardware and software products will combat such attempts from opportunistic hackers. Hardened products promote strong and consistent security, meet regulatory requirements, and align with state policies and standards, thereby minimizing the attack surface available to hackers.

This strategy includes seven specific desired outcomes.

6. Improve Access Management

Identity and access management gives people the ability to fulfill their job duties while simultaneously protecting sensitive systems and data from harm. This extremely complicated security area includes:

  • Provisioning and managing user accounts
  • Granting and managing access to systems and data
  • Developing special controls for individuals with extremely powerful clearances
  • Organizing oversight encryption tools and processes

This strategy includes fourteen specific desired outcomes.

7. Prevent Exploitation of Vulnerabilities

Every computer system has or will have security vulnerabilities. After hackers discover and begin exploiting vulnerabilities, vendors typically take up to several days to update the discovery signatures in their software. MNIT needs to build more robust threat intelligence processes, commonly referred to as “zero day vulnerabilities,” to identify and begin remediation of vulnerabilities that are not discoverable with commercial tools. Continuous, proactive scans with special security tools to find and fix security holes mitigate the risk of hackers exploiting newly discovered vulnerabilities. Part of this strategy involves discovering innovative ways to continuously find and fix vulnerabilities in portable and IOT (Internet of things) devices, which are already a target of choice for hackers.

This strategy includes seven specific desired outcomes.

8. Validate Security Controls with Independent Assessors

Audits and assessments offer independent validation of the adequacy of security controls. This strategy continues efforts to use independent assessors to validate the adequacy of cybersecurity controls. Independent assessments also help demonstrate compliance with the wide array of regulatory requirements imposed on state agencies, such as:

  • Minnesota Government Data Practices Act
  • Criminal Justice Information Services Security Policy
  • Internal Revenue Service’s Publication 1075 Tax Information Security Guidelines for Federal, State and Local Agencies
  • Health Insurance Portability and Accountability Act (HIPAA) Security and Privacy Rules
  • Social Security Administration (SSA) Electronic Information Exchange Security Requirements and Procedures For State and Local Agencies
  • Payment Card Industry (PCI) Data Security Standards
  • Federal Information Security Management Act

This strategy includes five specific desired outcomes.

9. Prevent Denial of Service Attacks

When hackers use millions of computers to launch a Distributed Denial of Service (DDOS) attack against a service or entity, the barrage of nefarious traffic on the state’s wide area network degrades performance for everyone. Globally, these attacks are increasing in frequency and volume. The impact to an organization under direct attack can be devastating, and it often includes the complete loss of vital services.

This strategy includes three specific desired outcomes.

10. Obtain Coverage for Catastrophic Cyber Risks

Cybersecurity insurance helps mitigate losses from a variety of cyber incidents, including data breaches, business interruption, and business system damage. Not a substitute for a robust security program, cybersecurity insurance addresses the reality that breaches happen and the resulting losses can be staggering.

This strategy includes two specific desired outcomes.

11. Design a Resilient Network

A key tenet of Information Security is defense in depth. A network provides additional layers of defense when it includes state of the art security tools and monitoring processes that smaller organizations simply could not afford when providing networking services on their own. A strong perimeter keeps out unwanted and potentially malicious traffic. Layers of internal segmentation better protect data and limit the impact of security incidents. Finally, oversight and management of an enterprise network will provide a cost-effective path to implement advanced security solutions, such as data loss prevention.

This strategy includes eight specific desired outcomes.

back to top